-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2021-01-006.yaml
44 lines (44 loc) · 1.74 KB
/
CAR-2021-01-006.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
---
title: Unusual Child Process spawned using DDE exploit
submission_date: 2020/12/03
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Cyware Labs
id: CAR-2021-01-006
description: |
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
coverage:
- technique: T1559
coverage: Low
subtechniques:
- T1559.002
tactics:
- TA0002
implementations:
- name: Splunk search - Unusual Child Process spawned using DDE exploit
description: This Splunk query looks for any executable invocations from an Excel file.
code: |
index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe"
data_model: Sysmon native
type: Splunk
- name: Splunk search - Unusual Child Process spawned using DDE exploit
description: This Splunk query looks for any executable invocations from an Excel file.
code: |
processes = search Process:Create
target_processes = filter processes where (
(parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe")
AND image="*.exe"
)
type: Pseudocode
data_model_references:
- process/create/command_line
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis